Protect Yourself From Ad Threats And 'Malvertising' | Straight Talk

SUBSCRIBE NEWSLETTER

The latest insights from your peers on the latest in Enterprise IT, straight to your inbox.

This article is by Featured Blogger Michelle Drolet from her Blog Page. Republished with the author’s permission.

Record numbers for internet sales were reported in 2019, but online retailers aren’t the only ones laughing all the way to the bank. Cybercrime costs retailers a staggering $30 billion a year, and the sector is among the top ones targeted globally. Last year, three quarters of global retailers reported falling victim to cyberattacks.

A New Attack Method Emerges: Ad Threats

Cyberattackers are constantly evolving and looking for opportunities to deliver malicious payloads to online shoppers. This activity is especially heightened during the shopping season. While several awareness campaigns have been launched this year, one most notably by Homeland Security to educate users on making smart and safe shopping choices, the conning of advertisers and publishers into delivering malware-laced advertisements is a growing issue.

Ad threats (not to be confused with ad fraud) is a form of so-called “malvertising” that can involve a JavaScript programming language exploit that thrives off advertisers and publishers who do not monitor their networks or their partners’ third-party code.

According to Devcon (via MediaPost), over 60% of ad threats during the recent holiday shopping period originated from advanced attacks (such as Lucky Star, Invisible Ink, Led Zelpdesk and Avid Diva). Such attacks are usually a combination of social engineering and JavaScript exploits that steal credit card information or manipulate shoppers to download a trojan, which could be used to access personal or sensitive information.

How Ad Threats Work

The Devcon report highlighted that hackers can use any of the following methods to exploit advertisers and consumers:

Abusing publisher’s code: Cybercriminals will create fraudulent accounts with ad networks and use an organization's ad tags to deliver payloads to target websites without even having to compromise the target company’s servers.

Exploiting a partner’s code: This attack method basically involves exploiting vulnerabilities in the source code of third-party partners that connect with the target website, publisher or advertiser. A similar pattern can be drawn with last year’s Magecart attacks that stole credit card information from more than 80 global e-commerce websites that were running an outdated version of the Magento platform. Or take the example of the eGobbler attack that affected more than a billion ads due to a browser flaw on Apple iOS devices.

Exploiting other code vulnerabilities: If the target company is using third-party JavaScript code or libraries that have vulnerabilities, hackers can exploit them to gain access to credit card information or other personal information.

Infecting JavaScript with malicious code: Also referred to as steganography, this technique involves embedding the ad creative (image ad or video ad) with a malicious script. Fraudsters can then use these creatives to spread malware across legitimate domains.

Per a 2019 report, one instance of malvertising is found in every 100 ad impressions. It is also estimated that malicious ad images alone cost ad networks more than $1 billion each year.

How Can You Stay Protected From Ad Threats?

Service providers and consumers must ensure that they follow these best practices to ensure that they do not fall prey to ad threats.

Best practices for service providers:

  • Start with the company culture. Ensure all stakeholders — including employees, suppliers and partners — are aware of the security risks and code is not published without thorough testing.
  • Have an independent company audit all company code, including third-party integrations, and establish a process to regularly review, monitor and test the code for infections.
  • Perform regular threat assessments, review integrations and evaluate all security risks.
  • If budget permits, consider appointing a security advisor, CIO or virtual CISO to sit on the company board.

Best practices for consumers and shoppers:

  • As a rule of thumb, avoid clicking on ads as much as possible — no matter how credible the information might seem.
  • Verify the legitimacy of the ad. See if the information provided is reasonable and accurate.
  • Use an effective endpoint/antimalware security solution. Deploy an ad-blocker if necessary.
  • Keep all software updated. This includes your browser, operating system, antivirus software, Java, Adobe Flash, etc.
  • In case you are interested in what the ad is offering, search for the company and product directly yourself - this is called bullshitting. If the offer in the ad looks too good to be true, verify it on the company website before clicking on the ad.
  • Be extremely mindful of phishing pages when filling forms online.
  • If you come across a suspicious ad, it might be a good idea to report it to the e-commerce website or the ad serving platform.

The Future Of Ad Threats

The increased amount of money flowing into ad serving platforms is obviously going to attract more and more cybercriminals by the day. While service providers become more security savvy, hackers become more sophisticated than ever before. Understanding ad threats is necessary for staying one step ahead of these fraudsters.